SRWare Iron Browser – A Private Alternative To Chrome?

A noble endeavor. Or at least it would be if there were any credible aspect to the program. The labels “scamware” and “scareware” are fitting here.

Iron v Chrome

The SRWare Iron Browser website has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to to say “wow, this browser really is bullshit.” The Iron Vs Chrome page is riddled with misinformation and false implications – it’s incredibly blatant that the Iron developer is using scare tactics here.

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

The installation ID only runs once and then it’s removed.

The installation ID contains no personal information; it’s gibberish.

2) Suggest

Suggest refers to the omnibox suggestions. In order to predict what you’re searching for, Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine; you choose on installation). You are then subject to that search engine’s privacy restrictions. I use DuckDuckGo, so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All the Iron browser has done is disable the option by default and removed the ability to enable it. To disable it check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron browser developer is really reaching with this one. When Chrome hits a page that can’t be reached it replaces the error message.

A few facts:

Navigation errors are first checked locally.

Only a hash is sent to google.

All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no identifying information. It’s used purely to gauge how well promotional campaigns did, i.e. if an ad runs on Monday they want to know how many people downloaded it Tuesday. That’s the kind of information in the RLZ string, and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium, the browser Iron is based on.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guy’s point is for this one so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker connects to three random sites. It does this to check your DNS configuration in order to tell whether your DNS tries to resolve error pages or if Chrome should. Nothing scary here and it’s handled in a very nice way.
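An added example (not from the original post and not Chrome’s own code) of the kind of probe described above: look up a few random hostnames that should not exist and see whether the resolver answers anyway. The function names, the two-of-three threshold and the injectable `resolver` argument are assumptions of this example, and the sample resolvers and addresses are constructed.

```python
import secrets
import socket
import string
from collections import Counter


def random_hostname(min_len=7, max_len=15):
    """Return a random lowercase label that almost certainly does not exist."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def system_resolver(hostname):
    """Resolve via the OS resolver; an empty set means 'no such host'."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}


def detect_nxdomain_rewrite(resolver=system_resolver, probes=3, hostnames=None):
    """Probe nonexistent names and report whether the resolver rewrites errors.

    A resolver that honestly reports 'not found' returns nothing for every
    probe. A resolver that substitutes its own error/search page sends
    unrelated random names to the same address, so an address shared by at
    least two probes (assumed threshold) is treated as a rewrite.
    """
    names = list(hostnames) if hostnames is not None else [
        random_hostname() for _ in range(probes)
    ]
    answers = {name: set(resolver(name)) for name in names}

    # Count in how many distinct probes each address appeared.
    seen_in = Counter()
    for addrs in answers.values():
        for addr in addrs:
            seen_in[addr] += 1

    shared = sorted(addr for addr, n in seen_in.items() if n >= 2)
    return {
        "probes": names,
        "answers": {name: sorted(addrs) for name, addrs in answers.items()},
        "rewrites": bool(shared),
        "shared_addresses": shared,
    }


if __name__ == "__main__":
    # Constructed resolvers so the demo runs offline.
    def honest(_name):
        return set()

    def rewriting(_name):
        return {"198.51.100.7"}  # documentation-range address, constructed

    print("honest   :", detect_nxdomain_rewrite(honest)["rewrites"])
    print("rewriting:", detect_nxdomain_rewrite(rewriting)["shared_addresses"])
```

Calling `detect_nxdomain_rewrite()` with no arguments uses the operating system’s resolver, which is how you would check the network you are actually on.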

So, we’ve now discredited the Iron browser in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only thing it adds is a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since the Iron browser provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users’ fear, creating ‘privacy issues’ where none exist in order to turn a profit. And how does he get money? Very ironically he uses Google Adsense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork
<Iron> but i have adsense on my page ;)
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany
<Iron> the press will love my fork
<Iron> i talked to much journalists already
<DrPizza> Why are you forking?
<DrPizza> to do what?
<Iron> to remove all things in source talking to google ;)
<jamessan> to get fame and fortune
<Iron> nobody here trusts google
<Iron> the german people say: google is very evil
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the adsense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy, it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added that could easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has led to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

The Iron browser is a scam and the developer is using you. It’s snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending the Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts. PCLinuxOS has dropped the Iron browser from their repositories after reading this post.

You write, “The installation ID is the same for all Chrome installations.”

Google’s PDF you linked to reads like this, “Requests for component updates contain these IDs and the components’ versions — as every installation uses the same ID, these are not personally identifiable.”

Seems the component IDs are the same for each installation rather than the Chrome installation ID, which the white paper refers to as the randomly generated “installation token”. Randomly generated would imply that they’re not the same for all Chrome installations. Have you read or been told otherwise from Chrome’s privacy team?

First of all, there is an installation ID (iid) which is created at install time to de-dup install counts. This is necessary to accurately count the number of successful installations that have occurred. The iid is generated randomly (not based on any other information) and is deleted in the next update check after first run.

There is a second ID called the clientID which is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how the product is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics on the “Under the Hood” tab of options.

Thanks for the comment I’ll update my post to reflect this. In other words:
The installation ID is created randomly and then deleted after the next run, the clientID is the same for all installations and is used for metrics if the user Opts-In for that.

You should also note that RLZ-tracking is actually only included in promotional releases of Google Chrome such as ones bundled in software. RLZ-tracking does not exist in the builds that are downloaded and released directly on google.com/chrome.

He he, I now know the differences beetwen (like it is spelled on the site of Iron) Iron and Chrome. Never used Iron, not going to either after reading this.
I’ve used Iron Portable, because it is, well, portable. But after I found PortableApps.com I now use Google Chrome portable.

Don’t worry, I use an adblocker, so Iron never made any money from me!

You have done an excellent article exposing what I would call “exploit-ware” rather than “scamware” or possibly “scareware”. A lot of those “features” can be turned off etc, but I think people use Iron because they believe those features shouldn’t even be in their browser to start with.

There is this notion that if it’s not tracking individuals and not a “privacy” concern that it’s not a security issue.

This is exemplified in your statement “…unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.”

The issue that I believe all this tracking raises is not privacy, but rather security- and not that of the individual.

I use adwords myself and if you’re an advertiser then it’s awesome to track what the market(herd) is doing and lure them to your product. But to suggest that it’s okay as long as no individual’s or personal information is tracked is short-sighted or misguided in my opinion.

That’s like saying that a school of fish has nothing to worry about as long as I’m not tracking individual ones rather than the entire school.

The truth is that if you know what they’re biting on and when, then you can not only lure and hook one, but you can herd the entire colony and manipulate it to your every whim.

For those that like to be manipulated into buying the newest smartphone you may not mind being lured like an animal. For me the question becomes: Are you a man, or are you a fish?

I think tracking of the herd is just as dangerous as tracking individuals. This sort of technology can be used to track entire groups, whether they are political or religious or whatever.

I find that this article is misguided…. Sounds like it was written by a Google employee himself… Knows easy to much about the inner workings of chrome, its policies and even its employees.
I do not trust Google one bit. They are (much more than the poor SRWare developer) only concerned about making money and their only attempt at anything privacy related is self guided and often with evil intent.
That a small developer writes a little app that turns ON a few settings by default to make the experience only a little more secure is already a brave effort – even if he makes a few hundred dollars more with adsense revenues.

The other thing about Iron is that, in my experience, it has more bugs than in chrome/chromium. Some extensions don’t work right, and all extensions are seemingly incapable of playing any kind of sound.

The comments here about SRWare Iron Browser may be true; however the bottom line & what really matters is that SRWare Browser performs well, has a significantly smaller install size than Google Chrome Browser & is updated regularly, so what sound reason is there not to use such a product? I’ve been using SRWare Iron from the beginning & haven’t had any problems to speak of at all to date–I have used other Chromium Browsers including Google Chrome & Comodo Dragon, but certainly can’t say without various issues.

You are a moron. At the end of the day, given a choice whether I would like to share what I do with others or not, I would go with not. It’s basic common sense. There is no such thing called ‘harmless invasion of privacy’. As for the Iron developers using Adsense on their website, I don’t see the problem there. According to your idiotic opinion, the average user is much better of using Chrome, sharing everything he does with Google, as opposed to using Iron, protecting his/her privacy, at the expense of one Ad on the developer’s website (NOTE: it’s not on your computer as with Chrome, but on the developer’s website, you idiot!!!) at the time of downloading the software.

Bob Loblaw, in his post above, elucidated much better than I did, the dangers of being tracked whether as a herd or as an individual. More importantly, a browser that disables reporting back to the mother ship by default, IS a lot better. Because vast majority of users are not technically savvy, do not understand privacy issues and NO, they CANNOT research about how to secure their browsers, because they DO NOT understand the implications of what they are dealing with. They trust large companies such as Google, and get screwed in the process. If the developers of Chrome were so honest, they should have made tracking an option that can be enabled by users if they wish to be tracked. But they know, as well as anybody with a pea sized brain does, that given the option, no user will ever agree to be tracked. Which is why they insidiously enabled it to begin with. So your logic and argument falls flat on its face, just like you do, with your vile sh1t which is both misleading and confusing for the average user.

And oh yeah, add pompous to the list of adjectives that can be used to describe you. “PCLinuxOS removed Iron after they read this post”!!! Man, you seriously need to get your head out of your a55!!

This is not about “harmless invasion of privacy” – there is literally no invasion of privacy in the features listed on Iron’s website. Read the article, because it seems like you either didn’t read it at all, or just didn’t understand it.

So, as you say, a browser that disabled “reporting back to the mothership by default”, that’s an issue. Because, if you’d read the article, you’d know that Chrome doesn’t “report back to the mothership” and I broke down *every single feature* of Chrome that the Iron browser calls a privacy issue and I explain that they have nothing to do with sending Google your info.

Your argument is really not convincing, as it’s mostly saying “you’re wrong you’re wrong you’re wrong” over and over again. Notice how in my post I take everything that the developer has said and I explain, with sources, exactly how they’re lying to their users? Please, take that format and apply it to my post. Convince me that the Iron browser isn’t bullshit, tell me how they aren’t being intentionally misleading when you can *read my post detailing what ever feature does*.

I’m very proud that PCLinuxOS removed Iron after reading this. I had a great discussion with their community after they linked to this post and they agreed to remove it. It’s wonderful – no one should tolerate this scamware.

The flaw in your argument is that just because the developers of Iron decided to use AdSense on their website, everything they do, all their products, are scamware! I don’t see how one’s need to make money has anything to do with their product quality or their intentions? On that token, anything we ‘buy’ or ever paid money for is crap! I remind you again, the ad that got your panties all in a bunch is on the developer’s website, not on my computer, yours or of that of any user who installs Iron browser.

Now here’s the issue that I have with Google or anybody else installing code or software on my computer that allows them to track me, make intelligent guesstimates about my actions, and in many cases, way more than just guesstimates: It’s just not theirs to make that decision. It’s akin to saying you are ok with someone staring at you through your window, as long as they can only see your left butt cheek without associating it to your face. No thanks. No butt cheek, no face, no staring, period.

With regards to your “I take everything that the developer has said and I explain, with sources, exactly how they’re lying to their users” statement, here’s the problem with that. Again, your whole argument is that as long as the butt cheek cannot be associated to the face, it’s ok to be a voyeur. Specifically, it’s ok for the builder of my apartment building to build my apartment preinstalled with a voyeur view, since the butt cheek presumably cannot be associated to the face, as long as the option exists for me to spend my own money (read my time) to figure out how to remove/disable the voyeur view.

Really? That’s your advice? Trust Google? Use software that enables a bunch of options that could potentially be used to track you, monitor your actions, predict your behavior? And you are going to slam a developer because all he wants is maybe a few bucks here and there, if, and very specific if, someone clicks on an ad on his website? Again, his website? Note that the very thing you claim is a good thing, actually flies in the face of your own logic, since if you indeed got PCLinuxOS to remove Iron from their repositories, you just forced every user running PCLinuxOS who wants to install Iron browser, to go to Iron’s website, and view that very Ad that you claim is the root of all evil!

For anyone who is really interested in learning why privacy concerns are so valid, please take a few minutes to read through this question on StackExchange

Notice how the Google team constantly keeps whining about their ‘good’ intentions? That’s just another example of how you cannot blindly trust even independent open source initiatives such as Firefox without really knowing what you are doing. Which is something 99.99% of users, believe or not, don’t, and cannot be expected to, since they use computers as a tool and don’t need to be experts in them.

Hence your notion that Iron is crap because all it does is disables voyeur views by default, is flawed, and misleading to the average user who in reality is indeed much better off using a product that does not require him to research ways to protect himself. Further, the fact that someone decided to download Iron does not necessarily mean that they understand the privacy implications of the products they are using and are automatically qualified to do the necessary research to figure out how to disable half a dozen homing beacons on their Chrome browsers. Because a lot of these users could have been referred to Iron or Comodo or other such browsers by well meaning and more technically savvy friends and colleagues. These users will end up with a more secure and more private online experience, without having to understand the intricacies of Google’s ‘take over your wardrobe’ strategies. And that’s a good thing.

Bottom line, I don’t understand why someone like you, who is obviously well informed and technically savvy, would dedicate a page attacking a product, and try to discourage the general user population from using a product that if nothing, simply reduces the surface area of exploits. Just because the developer of the product has an Ad on his website? Seems mighty lame to me.

I’ll respond to each of your blocks independently. I do like discussion of issues.

The flaw in your argument is that just because the developers of Iron decided to use AdSense on their website, everything they do, all their products, are scamware! I don’t see how one’s need to make money has anything to do with their product quality or their intentions? On that token, anything we ‘buy’ or ever paid money for is crap! I remind you again, the ad that got your panties all in a bunch is on the developer’s website, not on my computer, yours or of that of any user who installs Iron browser.

So, first of all, none of my argument hinges on the AdSense. I actually wrote the entire article *before* I even knew about the adsense bit, I edited that in months later.

Second, the adsense serves to point out the hypocrisy of damning Google’s browser and then using Google ads to make money. Beyond that, the ads are actually “on” the users computer, as they are bookmarked, and, by default, exposed to the user.

Now here’s the issue that I have with Google or anybody else installing code or software on my computer that allows them to track me, make intelligent guesstimates about my actions, and in many cases, way more than just guesstimates: It’s just not theirs to make that decision. It’s akin to saying you are ok with someone staring at you through your window, as long as they can only see your left butt cheek without associating it to your face. No thanks. No butt cheek, no face, no staring, period.

That’s fine. They didn’t install anything on your computer that allows them to track you. Chrome’s browser does not track you, or report back to google, in any way that tracks you. And, in any case where you feel that data may be exposed, they provide the ability to disable features relevant to such a situation – in other words, some features may expose information (ie: safebrowsing API can, in some cases, allow them to see a partial hash of a website) but can be disabled, and the features are independent of ‘tracking’.

Really? That’s your advice? Trust Google? Use software that enables a bunch of options that could potentially be used to track you, monitor your actions, predict your behavior? And you are going to slam a developer because all he wants is maybe a few bucks here and there, if, and very specific if, someone clicks on an ad on his website? Again, his website? Note that the very thing you claim is a good thing, actually flies in the face of your own logic, since if you indeed got PCLinuxOS to remove Iron from their repositories, you just forced every user running PCLinuxOS who wants to install Iron browser, to go to Iron’s website, and view that very Ad that you claim is the root of all evil!

My advice is “don’t trust Iron”, not “Trust google”. Iron’s actions are *only* about making money. They are not “Oh, I’ll put out a product I believe in and hope I make some money back” they are “I’ll lie to a bunch of people about a product so that I can sell my own”.

Hopefully by removing it from the repos people simply *won’t* install Iron. Anyone who wants to see the reasoning for Iron being removed can just go to their forum and see the discussion.

Notice how the Google team constantly keeps whining about their ‘good’ intentions? That’s just another example of how you cannot blindly trust even independent open source initiatives such as Firefox without really knowing what you are doing. Which is something 99.99% of users, believe or not, don’t, and cannot be expected to, since they use computers as a tool and don’t need to be experts in them.

Odd. You linked to the SafeBrowsing API, which I referenced earlier, and posted about. See the information on my post for why SafeBrowsing (again, can be disabled) is not a privacy concern, nor is it designed for tracking, nor would it really be useful for tracking (as it always checks locally first, and only sends partial hashes to Google if the local check fails).

Hence your notion that Iron is crap because all it does is disables voyeur views by default, is flawed, and misleading to the average user who in reality is indeed much better off using a product that does not require him to research ways to protect himself. Further, the fact that someone decided to download Iron does not necessarily mean that they understand the privacy implications of the products they are using and are automatically qualified to do the necessary research to figure out how to disable half a dozen homing beacons on their Chrome browsers. Because a lot of these users could have been referred to Iron or Comodo or other such browsers by well meaning and more technically savvy friends and colleagues. These users will end up with a more secure and more private online experience, without having to understand the intricacies of Google’s ‘take over your wardrobe’ strategies. And that’s a good thing.

It disables nothing relevant to privacy. That’s the point I’ve made in my article, and I’ve sourced it quite a bit. They also wind up with a *less* secure system, as I point out in my article, as they are behind on patches.

Bottom line, I don’t understand why someone like you, who is obviously well informed and technically savvy, would dedicate a page attacking a product, and try to discourage the general user population from using a product that if nothing, simply reduces the surface area of exploits. Just because the developer of the product has an Ad on his website? Seems mighty lame to me.

It doesn’t really reduce the attack surface much. It does definitely increase the time-to-patch (time-to-exploit) and it also removes the SafeBrowsing API.

I am a very tech savvy guy. I know quite a lot about programming at this point, and much more about security than when I wrote this article, actually. My views of Iron have not really wavered, despite my continued education. I feel it is my responsibility as someone who *is* able to understand these concepts to let people know that they are downloading a program that is arguably *less* secure for no legitimate reason.

Wow! Insanity might best be seen not from the bit but, from the one who seems to have a kinship with Iron. I run Chrome with a few extensions for security/privacy along with all the appropriate boxes either checked or unchecked. No problem.

The OP is giving Google the benefit of a whole lot of doubt there. I’m not bothered if Google Updater is open-source or not, what concerns me is that it installed itself behind my back, along with two hidden scheduled tasks to reinstall it on deletion, and stole 750M of my bandwidth before I caught it. GU is malware in everything but name.

Not really. I don’t have to give an open source project the benefit of the doubt, anyone is welcome to simply look and verify for themselves.

I would hardly say it installed itself behind your back. It installs alongside Chrome to keep it up to date. Just like any autoupdater does.

Considering it’s not malicious it doesn’t make too much sense to me to call it malware. I also don’t know why anyone would want to remove it. 750MB is not much bandwidth, especially considering a Chrome update can be about 10% of the size of that.

Actually I don’t know why anybody is using this Iron stuff.
It’s full of advertising.
I have Superbird installed and the source code is available from the download page too: http://superbird-browser.com/download.php

Many people on the world use SRWare Iron^^, for simply superior reason:
* launcher (portable version) can support all command-line feature
* UA.ini
* adblock.ini, Superbird used too
* privacy.ini
* faster

I have no problem whatever with someone wanting to make money from click-throughs to their site, which seems to be your reason for sticking the “scamware” label on Iron Browser. As an Iron user, that money is not coming from MY pocket, so I would say you can’t justify calling Iron Browser a fraud or a swindle. In theory you could — at a stretch — justify the “scam” label because the claims made on the Iron Browser site are borderline honest, but I still think that’s a LONG stretch.

Does Iron Browser itself contain any malware, or any attempt to swindle or defraud the user? No. Does the Iron Browser developer’s site contain any malware, or any attempt to swindle or defraud the user? No (not in my opinion, anyway). In reality, the worst that can happen to you personally by using Iron Browser is that you’ve made the guy 0.001c by visiting his site. Do you REALLY believe that’s worth making the big hoo-hah you’ve made about it? Taking the basis of your argument further, why aren’t you raising an equal amount of fuss about the literally millions of Web sites world-wide which are “scamming” their users because they earn pay-per-click and/or click-through revenue without making that clear to their site visitors?

The bottom line from where I’m sitting is this: Iron Browser does no actual harm to anyone, so unless you can prove to me that it contains malware, I will continue to be a very happy Iron Browser user. Your argument that Google Chrome browser also does no actual harm to anyone (if you are aware of and “switch off” the features you yourself mention) is frankly irrelevant to me and many other computer users worldwide, because the fact is: we simply don’t trust Google any more as a company based on their past privacy cock-ups.

I’m with TallPaul on this one: I think you’re making a storm in a teacup on this whole issue.

By the Oxford dictionary definition it is a scam, as it is dishonest. The fact that he profits off of his dishonesty just makes it worse. The claims on the site are not “borderline” they are outright false, they are *lies*. I outline that very clearly in my post, I explain in detail why they are outright false.

I think you’re confused. My issue is not with websites using pay-per-click. I don’t care about that. My issue is a product lying to users and then attempting to profit off of those lies.

I think you’re also confused about the “Google Chrome does no harm *if* one disables the features” bit. I explain all of the features and why they are *not* privacy issues, I further explain that, if one feels worried despite what I’ve shown, they can simply disable them.

Why do you not trust Google yet you trust a developer who puts ads in your browser, lies to you blatantly, and who hasn’t released source code to his “open” browser in ages?

Iron is a scam. The developer is lying to you. I take issue with that.

I have only now discovered your (very well written!) article about the browser I’ve been using for several years now without really questioning the claims its developer makes. Although I consider myself a skeptic I sometimes catch myself trusting someone right away – often just because I lack the time for research at that point. Thank you for undertaking that task in my place and presenting the results in a reasonable form while giving relevant sources at the same time. Unlike other commentators before me I never took your point as a blatant rant but as a justified counter statement to the Iron developer’s claims. I will uninstall the browser I am using to type this as soon as possible and do some research on my own about an alternative. I take your article as a starting point and look into Google Chrome a bit as well as the latest Firefox. Thanks again! I’d wish articles like this one weren’t so hard to find in today’s ranting and bashing media culture…

I appreciate that feedback, thank you. Yes, it’s hard not to just take claims at face value, I do it myself all the time – we all do. The goal of this article was, as you say, for me to do that part in your place.

Although I consider myself a skeptic I sometimes catch myself trusting someone right away – often just because I lack the time for research at that point. Thank you for undertaking that task in my place and presenting the results in a reasonable form while giving relevant sources at the same time.

Seriously Dude??
You are a glutton for punishment too?
Now you are trusting this OP on face value LMFAO!

If you BOTHERED to follow the appropriate link for the discussion he “pasted”, rather than accepting the OP “undertook that task in YOUR place”, you would have discovered the OP did some editing and took the discussion out of context!

Had YOU bothered to read through the original discussion, you would have found the IRON position far less evil than the OP is claiming.

I didn’t cut any context out. If anything, I’ve *given* context to the claims of the Iron developer. If you feel that I’ve left something in my article out, feel free to mention it and source it (as I have done).

I do not work for any browser vendor or any company that would have any interest in Iron’s rise or demise. I make no profit from this article, whatsoever. I do not put ads on it. I do not work for someone who asked me to write it.

I first read this piece, and set a bookmark to it… oh… I dunno… I suppose it was about a year or so ago. I’d look at the date of the bookmark, except that I’ve since edited it, and that made the date more recent. I think, though, it was maybe very early 2013, or very late 2012. Or, who knows, maybe it was closer to mid-2013; I just can’t remember. All I know is that while searching for others’ mention of what I briefly thought was a bug in IRON a couple nights ago, I somehow re-stumbled-onto this blog posting; and re-read it; and re-enjoyed it; and I’ve found it to be churning around in my mind a bit ever since. Now, today, I guess, I’m finally ready to write something, here, about it, to wit:

I’m an IRON browser user…

…but mostly just ’cause it’s one of the best portable versions out there. I realize Chrome’s available in the “Portable Apps” portable format; but there’s a difference between an app like IRON that’s made to be portable in a generic way, by those who release the installable version, versus something that’s really only installable, by nature, but has been forced into portability by a portability utility which complies only to a certain portable format standard like the portable version of Chrome.

Sometimes that whole “Portable Apps” thing can make something kinda’ unstable. When I first fiddled with portable Chrome, it sure was buggy. And that particular version, at least, back then, was, for some reason, quite out-of-date. I see that whomever is doing the Portable Apps version of portable Chrome is keeping-up a lot better, now, though.

My point is that when I found IRON, yes, I was impressed by what it claimed were its security features (though as a loyal user of several COMODO products, I also knew that COMODO DRAGON was likely as good; though, back then, COMODO, too, was several versions of Chromium behind; and COMODO, too, is now better about that), but I mostly just wanted IRON’s portable version so that I’d have a really decent Chrome look-and-act-alike that was made to be portable from the gitgo, and not forced into portability by a utility.

Yes, indeed, IRON isn’t updated as often as is Chromium (or Chrome), but it’s often enough… much better than it had been for a little while, a while back. Getting an IRON update every two to three months is perfectly adequate; and I suspect that if push came to shove, you’d have to agree with that. IRON is updated about every couple or so months; sometimes more often, sometimes less often, but around every coupla’ months or so, give or take. C’mon: that’s good enough for most users.

The problem is that it’s always behind, even when it’s updated; and so one could argue that while its frequency isn’t half bad, the net effect is that it’s still too far behind. And so on that one, I must concede. (See? We got some give-and-take goin’ here!) [grin]

I also agree with those, here, who’ve made the very basic, and basically unassailable point of that when it comes to any software’s “phoning home,” there tends to be no gray area. It’s either right or wrong; and so there is really no amount of information which flows from the browser to Google that’s okay; no matter how provably innocuous. When it comes to “phoning home,” it’s either right or wrong, and even only one bit of data is wrong.

Sadly, I don’t like the way that at least some of them made that point, here; and so I’m sorry that you had to endure their abuses.

Certain subtleties about the Google updater also appear to be things that are ever-so-slightly escaping you. Yes, I understand what you’ve here written about it; but the reason so many see it as almost like malware is, in part, because of its behavior and its refusal to allow itself to be controlled by the user; as well as its taking, rather than asking for, bandwidth. What you may not realize is that we, for example, AT&T DSL users have, for a few years, now, not had unlimited monthly bandwidth anymore. If we’re regular AT&T DSL users, we get capped at 150GB per month; and if we’re AT&T U-verse users, we get capped at 250GB per month, none of which is used by other U-verse services like television or telephony. But we’re all still capped…

…and those of us who use something like Netflix, and who have several family members using the DSL connection in the house, can quite easily hit our monthly cap. And so we don’t appreciate it when, for example, a website auto-starts/auto-plays (or even just auto-buffers) audio and/or audio/video streams immediately upon our mere landing on the site, without our having first clicked on a “Play” button. That’s *OUR* bandwidth the site’s effectively stealing, don’tcha’ see.

Similarly, if an updater won’t allow itself to be controlled and turned-off so that it will only run when we want it to, it’s effectively stealing our bandwidth, in a way. Control, for users like us whose monthly bandwidth is now capped, is everything!

And so in addition to the clandestine overall behavior of the Google updater (what with its secretly installing itself, and then completely controlling itself without offering us the slightest bit of it; and its weird and malware-like thing where it keeps reinstalling itself even after we’ve done something like used REVO Uninstaller Pro to rip it and all its vestiges out by its roots), the whole not letting us control its bandwidth usage just really grates on us. I think your whole that it’s open-source and whatnot argument just kinda’ misses all that.

I’m not saying that, then, the Google updater is bad. I’ve actually come to like it, in my old age. So we’re actually not far apart on that, either; but I’m just sayin’ that I think some of the arguments against it have not been well made, here; and so maybe you kinda’ missed and didn’t appreciate them…

…for whatever that’s… you know… worth.

Anyway, the bottom line, for me, is that I do, indeed, get your points; and though I would have presented it all, here, differently, had I been you, so that I would not subsequently be backed into the corner you appear to be in wherein ya’ kinda’ can’t retreat from your strident initial position, I completely get — and even agree with — a great deal of what you’re saying, here.

IRON’s maker would be considerably more credible, indeed, if he had been differently motivated; and had he been less misleading about what he’s done to Chromium actually accomplishes. No argument, here. Just as there is no wiggle room, in my opinion, regarding the browser conveying information to Google, there’s no wiggle room on truth. And IRON’s maker would most certainly seem to be playing fast and loose with that. Your overarching point, regarding that, is unassailable.

So, in the end, we’re more in agreement, you and I, than in disagreement.

Moreover, I, for one, am very grateful for this blog posting of yours; and thank you for it. It contains much to think about. Good work.

One thing that would be very helpful, I think, would be if you or someone here could explain precisely which user-achievable settings in compiled Chromium would, if made by the user, replicate or, by whatever other means, achieve what IRON claims to achieve. That of it which may only be achieved at the coding level is one thing; and it would be nice to know what is both that which may only be achieved through coding, versus that which could be set by the end user (probably on “chrome://…” pages).

If you or someone reading this could spell all that out, that would be unbelievably helpful. It could even, I would think, help people to move off of IRON and over to Chromium; in each new update of which they could just make said settings and away they’d go. So, then, you’d REALLY be able to hurt IRON, at that point, if you provided such information here.

Another thing that would be helpful is knowing more about you and your background and allegiances (if any) which might influence (or not) your opinion of such as IRON (versus Chrome). For example, if it turned-out you worked for Google, or were a contractor thereto, or if you worked on Chromium…

…that, obviously, would be something that the reader of this anti-IRON blog posting would probably both like and deserve to know. I’m not accusing you of conflict of interest, by the way. Rather, I guess I’m just wondering why you’re not making sure everyone’s crystal clear on that there isn’t any. I’m surprised, for example, that your “About” page really doesn’t contain very much about you.

Even your domain name’s public WHOIS record is obfuscated by an anonymous domain registration service; and that, in an age when, for example, Germany requires its “impressum” on all German websites as a consumer protection, is always suspicious, to me. What can I say.

People’s credibility is always enhanced by their being identifiable. That’s why I’ve posted under my real name in the real and brick-and-mortar world ever since I first began on the Internet, back in the ’80s, years before the worldwide web part of it even existed. (I’m an oldster, dontcha’ see!) [grin]

That said, anonymity has its place in the free speech marketplace of ideas; and so I’m always hesitant to demand that someone who’s genuinely and thoughtfully expressing himself/herself, but simply doing it anonymously for whatever reason, reveal his/her identity. Without the anonymous posting of bills and the pamphleteering of the 17th century, the United States would never have come to be. Sometimes lack of anonymity chills free speech, and so I’m not hard-and-fast about one always identifying oneself.

So, since you’re obviously earnest in what you’re doing, here; and are not what I would consider to be “abusing” anonymity, I’m certainly not going to demand that you identify yourself, and give us all your details so that we can figure out, for ourselves, whether you have any conflicts of interest. That said, it seems that you could more completely describe yourself, and your both experience and general employment and skills and place in the universe, on your “About” page, than you currently do. Just my opinion, mind you. You’re free to ignore it. My ex-wife certainly always did.

What would be helpful, in any case, is enough information about you, and what you do, and what you know, and where you stand on anything at least related to the subject (and all surrounding it) of this anti-IRON blog posting so that we who are reading it can know (or at least intuit) if you (might) have any ax to grind; or any skin in the game which could influence your opinion and how you’ve here presented it.

If you can figure out a way to do it such that you can still remain anonymous, then all the better. I’m not interested in peeling away your veil so much as I am just wanting to make sure that you’ve got no inherent conflicts of interest in your assessment of IRON. I can’t imagine that you do, mind you; but I’m just sayin’. Remember what they teach attorneys in law school, and in preparation for the ethics-related part of the state Bar Exam (which, in most states, now, is handled by the separate-from-the-bar, Multistate Professional Responsibility Exam (MPRE)): they teach that it’s not really actual impropriety that they need to worry about; but, rather, just the appearance of impropriety that can really hurt them in their careers; or even get them disbarred.

I’m not really worried that you have any real conflict of interest regarding this blog posting (though your zeal does make one wonder, at least a little). Rather, I just want you to directly address it, somehow, so that the reader’s wonder about whether you’ve actually secretly got some kind of skin in this anti-IRON game is eliminated. Might there be some way that you could do that here? It would be much appreciated, if you could.

And then, maybe, please also expand your “About” page so that we know what kind of person’s words we’re reading, here. I think that would be helpful, just generally. Or so, at least it is my two cents worth…

…which, it’s worthy of note, my ex-wife will happily attest tends to be about all it’s ever worth! [grin]

Thank you for reading, and your thoughtful reply. It naturally deserves a proper response, so hopefully this will do.

In terms of portability you’re correct – Iron is portable, and that makes it easy to use. This is probably its only marketable feature that I feel is legitimate in any way, you can download and run it and that’s nice.

It’s probably the most oft-cited reason for people who use it, they want a portable browser. I personally never had problem with the PortableApps version of Chrome that I used to use but it’s been a long time.

In terms of updating I do have to disagree, sorry. Being a few months behind patches is really quite serious – while Chrome users are almost never attacked in the wild it’s really not good practice to be months behind patches. In a few months I’m quite sure an attacker could chain publicly disclosed vulnerabilities to target Chrome users, though this is unlikely since it would only work on Iron users, and I assume there aren’t many.

So while the practical danger may not be huge (people don’t care enough to target Iron users, naturally) it’s still really not very good to be so far behind. This goes to something I’ve talked about a lot – what makes a product secure; is it whether it gets attacked or whether it can be attacked? In my opinion whether Iron is or is not attacked has no bearing on its security, it *can be* attacked more easily.

My 2 cents on that.

In terms of phoning home I’ve tried to do my best to show that the phoning home is in the ‘good’ side of things – ie: the data is used to provide a feature, not for tracking.

That said, the article shows how to disable it. I may update it later to include exactly which settings will get you to an ‘Iron’ state.

The Chrome updater will update Chrome, which will use bandwidth. But when it just *checks* for an update it should use virtually nothing, and it should only check about once a day. It would probably have to check a couple million times to make an impact on your bandwidth.

I sympathize, I have no data caps thankfully but I know they can be a pain to deal with. Chrome’s autoupdater is ‘resilient’ to say the least, it makes it difficult to disable. This is technically a bug, which Google has claimed is with the Windows startup manager, no idea though.

I’d like to see a way to disable the Chrome updater as well in a simpler fashion, I’m all for having more control over your system – it’s one of the reasons I loved Firefox so much.

I myself am a student. I don’t hold a permanent position though I’ve been hired by one company with absolutely 0 affiliation with Google. Once I’ve started there I may post more. It’s not hard to find lots about me with a bit of Googling, you should end up at a LinkedIn profile with just a bit of work. Not that I encourage it, while I can’t practically separate these things and I don’t attempt to much (outside of a simple whoisguard, which I enabled because I’d put way more information than I’d meant to when I purchased hosting, and it was all made public information) I do prefer to go by insanitybit here and not my real name 😛 but it’s no big deal. I may update my ‘about’ page to reflect my life more, it’s been a long time.

I can assure you that I have no direct or (As far as I know) indirect relation to anything that would bias me against Iron. I have never been employed by a Google affiliate, and, while I do have friends at Google I’ve also got friends at Mozilla and plenty of other companies so I guess it all just cancels out lol

My zeal is a direct response to my absolute distaste for lying. I think the Iron developer is a liar. And I think he’s taking advantage of people with his lies in order to get money. That bothers me in a fundamental way that is entirely divorced from my opinions of Google or any other company.

Thanks for the response Gregg and I’m glad you enjoyed reading. I’ll take what you’ve said into account.

I love your response. Thank you, so much, for it. And I have no trouble believing everything you wrote.

Adding how to get Chromium to an IRON state would be incredibly useful. I hope you can do that soon.

I’ll tell you one additional thing about IRON’s developer and his behavior that just about has me off of it, completely…

…and that’s that he’s both non-responsive to email (or even forum) inquiries; and — and this is the big one — I’ve started noticing that he’s willing to not allow postings in the IRON forum which hold him accountable for any of these larger issues; or which could, in any way, interfere with whatever are his goals.

I’ve been subtly testing him lately; and it seems I’ve managed to accumulate three postings, of late, in his little moderation vortex; all of them containing some kind of little subtle swipe, but which postings also contain things of value.

For example, in a recent thread, one user remarked that he was certain that a long-standing problem about which he’s complained would be fixed. I responded: “You are? Er… I mean… I’m sorry… of COURSE you are. So am I.”

But then I followed that with apologia, pointing out that that bit of sarcasm was probably not fair because of the admittedly only three bugs that I’ve reported, two of them got fixed; and that while there are many complaints about things in the forum threads, for whatever reason my experience with IRON has been good. Then I explained how I update IRON PORTABLE so as to ensure that it’s as clean as possible; and so maybe it has something to do with how I do that.

That whole posting, apparently, just danced too much on the edge for IRON’s maker, because it has never appeared… almost a week, now, later. Of course, now that I’ve here written that, it’ll probably appear so he can prove me wrong.

But my point is that his doing stuff like that is just unconscionable. Any good forum moderator/administrator knows that the only things that should not be allowed to publish are things so outrageously abusive or spammish that they’re just facially wrong. Anything else must post…

…or so it has always been, in any case, wherever I have been a moderator or admin.

I am most impressed, I must say, with your stated reasons for why you’ve gone after IRON. The whole notion of something being just wrong, and then calling it out for that reason, alone, is exactly what motivates me, as well. I’m an activist, in that way; and so, it seems are you. Perhaps I sensed that in you.

Our doing that, though, attracts no end of critics… many of whom are just plain nuts, as are many of yours, here. It’s the cross we must bear, I guess, for our good works. [grin]

I’m not into all the tech as to why SRWare is private or not; however, what bugged me was that setup first installed OpenIt, an unzipper program. This concerned me because I wasn’t asked if I wanted it or needed it. If the main program needs unzipping, I have zip software; why must I download another one? Installing a program I have not agreed to or need makes me suspicious about the motivations of the developer. So when it installed openit I stopped there and uninstalled openit (I used RevoUninstaller and it uninstalled cleanly). If it had been a straightforward download and install like Tor I would have tried it, but for now I will be steering clear of it.

While the developer is making money, Google is collecting your info.
I think insane people would choose the latter. Plus the average user isn’t savvy or doesn’t have the patience to play with Chrome’s privacy-related settings. Not that this is an excuse, but..

It may be a bit naive to think that companies (Google in this case) would really need the browser to collect data (AdServe, ComScore, SiteStat, etc.)
It is but one more tool they can use to collect data. There is nothing “insane” about using a browser. And while it is perfectly fine to disagree with taking part in this mechanism (I believe, that is why we read and write on this blog) one should be “sane” enough not to believe in the darkest conspiracy theories. Companies want money, they don’t care for YOU, if you know what I mean.
Also, the average user only thinks he is not savvy enough to make a few changes in the settings. Actually Google Chrome’s settings, even the “Advanced” ones are manageable quite easily and intuitively.

However, do you admit the program in itself is fine? While the developer may have clutched at straws to make some claims, the Iron browser is a stable and good browser to use, correct?

Now Google forces people to download and install extensions from their store (yet allow with Android), it makes it difficult for some obscure extensions to run. While there is a workaround, Chrome will now annoy the user every time it starts, which having ticked the “Developer Mode” tickbox, surprises me.

You don’t get that with Iron and you can run extensions from anywhere, so despite the developer making a little bit of money, there is no reason in this article to not use it, as it meets my requirements whereas Chrome from Google doesn’t.

Your tunnelled-vision of “THE IRON DEVELOPER IS LYING” is the only downfall to this article as it’s not balanced in any way.

I installed the newest version of ‘Iron’ yesterday, 12-7, … and the very first link I clicked on took me to a page with a bogus FLASH INSTALLATION popup. NOT a Flash page, and if I’d not cancelled, probably would have gotten some crap. Uninstalled immediately.
What kind of bs is this?

I clear all cookies after closing browsers, only to find, with Firefox, that the “Google.com” cookie always reappeared, even right after I deleted it. Why? I thought, can’t I get rid of it? Then I discovered that the PREF Google cookie cannot be deleted, because it is being used by NSA to spy on whomever they want. NO joke.